[57] ABSTRACT

Low-level network services are provided by network-service-provider plugins. These plugins are controlled by an extensible service provider that is layered above the TCP or other protocol layer but below the Winsock-2 library and API. Policy servers determine the priority of network traffic through control points on a network. Examining packets passing through these control points provides only limited data such as the source and destination IP addresses and TCP ports. Many applications on a client machine may use the same IP address and TCP ports, so packet examination is ineffective for prioritizing data from different applications on one client machine. Often some applications, such as videoconferencing or data entry for corporate sales, are more important than other applications such as web browsing. An application-classifier plugin to the extensible service provider intercepts network traffic above the client's TCP/IP stack and associates applications and users with network packets. These associations and statistics such as maximum, average, and instantaneous data rates and start and stop times are consolidated into tables. The policy server can query these tables to find which application is generating network traffic and prioritize the traffic based on the high-level application. Bandwidth-hogging applications such as browsers can be identified from the statistics and given lower priority.

20 Claims, 14 Drawing Sheets 
CLIENT-SIDE APPLICATION-CLASSIFIER GATHERING NETWORK-TRAFFIC STATISTICS AND APPLICATION AND USER NAMES USING EXTENSIBLE-SERVICE PROVIDER PLUGIN FOR POLICY-BASED NETWORK CONTROL

RELATED APPLICATION 

This application is a continuation-in-part of the co-pending application for "Ordering of Multiple Plugin Applications Using Extensible Layered Service Provider with Network Traffic Filtering", U.S. Ser. No. 09/042,306, filed Mar. 13, 1998, now pending.

FIELD OF THE INVENTION 

This invention relates to software for computer networks, 
and more particularly to client plugins for identifying appli- 
cation traffic-signatures, signaling traffic priorities, and for 
generating network statistics for policy servers. 

BACKGROUND OF THE INVENTION 

Computer networks such as the Internet are driving increased acceptance of personal computers. Network communication began with text-only e-mail and the file-transfer protocol (FTP), but with improved user interfaces and graphics, graphical browsing has become commonplace. Mission-critical business transactions, corporate database queries, and even video conferencing and voice telephone calls all use the Internet.

Not surprisingly, the Internet and local networks are 
becoming crowded. Simply increasing bandwidth is expen- 
sive and often only shifts bottlenecks to another part of the 
network. While users may not notice delayed e-mail, Inter- 
net browsing can become painfully slow during times of 
network congestion. Video conferencing and telephony suf- 
fer poor quality and even gaps of lost speech when the 
network is slow. 

FIG. 1 illustrates differing priorities of various kinds of 
network traffic. Two-way video and audio communications 
such as video conferencing and Internet telephony must 
have their packets delivered over the network in real time, 
or parts of the conversation are lost. Thus these services 
must have the highest priority in most networks. Business- 
critical applications such as financial transactions and 
accesses of corporate databases have moderately high pri- 
ority. Browser traffic to the world-wide-web has a lower 
priority since much of this traffic is for information gathering 
and personal uses. However, browser traffic should not be so 
slow as to irritate the users. Lowest in priority are file 
transfers and e-mail, since these are usually not needed 
immediately. 

Server traffic tends to have a higher priority than client 
traffic, since business-critical applications reside on corpo- 
rate servers. Clients are usually individual desktop PC's. 

Quality-Of-Service Network Policy 

Attempts have been made to improve transmission speed 
of higher-priority traffic. Bandwidth-shaping or traffic- 
shaping delays low-priority traffic so that higher-priority 
packets can pass through with less delay. Quality-of-Service 
(QOS) is thus improved. Bandwidth can be reserved for the 
highest-priority applications such as video conferencing. 
See for example U.S. Pat. Nos. 5,644,715 and 5,694,548 by Baugher et al., assigned to IBM; U.S. Pat. No. 5,673,322 by Pepe et al.; and U.S. Pat. No. 5,136,581 by Muehrchke, assigned to Bell Labs.
Can't Determine Priority of IP Packets—FIG. 2

Ideally, a network device such as a router would read a packet's header and determine the priority of that packet from fields in the header. Unfortunately, determining the priority of packets passing through a network point is problematic. Simple filtering software can be used to identify packets using certain network protocols such as TCP, or certain Internet Protocol (IP) addresses.

FIG. 2 shows an Internet packet. Port fields 23, 24 identify which ports were assigned by the network software for communication with a higher-level application requesting a communications session. Destination port field 23 specifies the port on the destination machine, while source port field 24 specifies the port on the source machine. Protocol 26 is a field identifying the network protocol used, such as TCP or UDP. Destination address field 28 contains the IP address that the packet is being sent to, while source address field 29 contains the IP address of the sender of the packet. The contents or data of the packet, perhaps with additional higher-level headers, are contained in data field 22.

While some applications may use certain ports, many applications use standard ports, such as port 80 for web browsers. Sometimes these ports are dynamically assigned to applications, so that different ports are used by the same application at different times. Simply reading port fields 23, 24 does not uniquely identify applications, so it is difficult to determine priority based on port fields 23, 24. Most applications use the TCP protocol, so protocol field 26 likewise does not uniquely identify users or their applications.

IP address fields 28, 29 often uniquely identify a user or a server machine, and IP-address filtering has been used to restrict access by children to adult-only web sites. IP-address filtering has been less successful for blocking unwanted "junk" or "spam" e-mail, since the IP-address fields are often altered to hide the originating IP address. Larger web sites may use many IP addresses that may dynamically change as the web site is updated. Even client machines can have dynamically-assigned IP addresses rather than a static IP address. In some organizations, many users share an IP address. Thus determining packet priority using IP addresses is not effective.

Ideally, the names of the high-level application on the client and on the server machines should be collected. The high-level application names could then be used for prioritizing IP packets from these applications, rather than using IP addresses and TCP ports.
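As an added example (not the patent's code), the following Python parser extracts the FIG. 2 fields from a constructed IPv4 packet and shows that a control point keying on those fields cannot tell two applications on one client apart. The packet builders, addresses, ports and payloads are assumptions made for the demonstration; checksums are not verified.

```python
"""Parse the IPv4 and TCP/UDP header fields named in FIG. 2 (ports 23, 24; protocol 26;
addresses 28, 29; data 22). Added example, not the patent's code; packets are constructed
by build_ipv4()/build_tcp()/build_udp() for the demonstration."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

PROTO_TCP = 6
PROTO_UDP = 17


@dataclass(frozen=True)
class PacketHeader:
    src_addr: str             # source address field 29
    dst_addr: str             # destination address field 28
    protocol: int             # protocol field 26
    src_port: Optional[int]   # source port field 24 (TCP/UDP only)
    dst_port: Optional[int]   # destination port field 23
    payload: bytes            # data field 22

    def policy_key(self) -> Tuple[str, str, int, Optional[int]]:
        """All a header-based rule can key on (the ephemeral source port is left out)."""
        return (self.src_addr, self.dst_addr, self.protocol, self.dst_port)


def parse_ipv4(packet: bytes) -> PacketHeader:
    """Bounds-check every length field before slicing: a control point parses untrusted bytes."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("bad IHL or total length")
    body = packet[ihl:total_len]            # link-layer padding after total_len is not payload
    src_port = dst_port = None
    payload = body
    if proto == PROTO_TCP:
        if len(body) < 20:
            raise ValueError("truncated TCP header")
        src_port, dst_port = struct.unpack("!HH", body[:4])
        data_off = (body[12] >> 4) * 4
        if data_off < 20 or len(body) < data_off:
            raise ValueError("bad TCP data offset")
        payload = body[data_off:]
    elif proto == PROTO_UDP:
        if len(body) < 8:
            raise ValueError("truncated UDP header")
        src_port, dst_port, ulen, _ucsum = struct.unpack("!HHHH", body[:8])
        if ulen < 8 or ulen > len(body):
            raise ValueError("bad UDP length")
        payload = body[8:ulen]
    return PacketHeader(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                        proto, src_port, dst_port, payload)


def is_malformed(packet: bytes) -> bool:
    """True when the packet fails the checks above (what a control point must reject)."""
    try:
        parse_ipv4(packet)
    except ValueError:
        return True
    return False


def build_tcp(sport: int, dport: int, payload: bytes) -> bytes:
    # 20-byte header: seq, ack, data offset 5, flags PSH|ACK, window, zero checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv4(src: str, dst: str, proto: int, transport: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0x1234, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + transport


def demo() -> Tuple[PacketHeader, PacketHeader, bool]:
    """Two applications on one client, same server and port: identical policy keys."""
    browser = parse_ipv4(build_ipv4("10.0.0.12", "192.0.2.80", PROTO_TCP,
                                    build_tcp(49152, 80, b"GET /images/big.jpg HTTP/1.0\r\n\r\n")))
    sales = parse_ipv4(build_ipv4("10.0.0.12", "192.0.2.80", PROTO_TCP,
                                  build_tcp(49153, 80, b"POST /sales/entry HTTP/1.0\r\n\r\n")))
    return browser, sales, browser.policy_key() == sales.policy_key()
```

The two constructed packets differ only in source port and payload; a rule keyed on fields 23, 26, 28 and 29 sees the same key for both, which is the limitation the text describes.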

Policy-Controlled Network—FIG. 3

FIG. 3 is a diagram of a network that controls traffic using policy rules. Client PCs 10, 12 send IP packets over local network 15 to corporate server 16 and Internet 20. Edge device 14 is a router, switch, gateway, modem or other network device that connects local network 15 to Internet 20. Traditionally, routers such as edge device 14 have simply passed all packets through roughly in the order received, without regard to priority.

Edge device 14 is able to block or delay packets to and from Internet 20 so that higher-priority packets experience less delay than lower-priority packets. Edge device 14 may examine packets and apply policy rules to determine which packets to accelerate and which to delay.

Policy server 18 sends the policy rules to edge device 14. Bandwidth information is sent back from edge device 14 to policy server 18. This bandwidth information might indicate
the current bandwidth available to Internet 20 or local network 15, or other traffic or load statistics such as the kinds of packets appearing. The bandwidth information may be used by policy server 18 to re-prioritize packets passing through edge device 14 by adjusting the policy rules sent to edge device 14. For example, when edge device 14 detects video-conferencing packets passing through, policy server 18 can reduce the bandwidth allocated to other kinds of packets to reserve additional network bandwidth for video-conferencing packets.

Often higher-priority packets are generated by corporate server 16 rather than by client PCs 10, 12. Policy server 18 can set a higher-priority policy for corporate server 16 when certain kinds of packets appear in the bandwidth information from edge device 14.

While such a policy-controlled network is effective, newer technologies make determining the priority of packets more difficult. Low-priority web browsing from client 10 can be identified by the IP address of client 10 and port 80 used by the browser. However, newer software installed on client PC 12 dynamically assigns ports to applications. IP addresses may also be changed using the Dynamic Host Configuration Protocol (DHCP). The application may appear on port 50 one day, but on port 22 another day. The IP address assigned to client PC 12 may also be dynamically assigned or even shared by other client PCs.

Identifying web-browser traffic from client PC 12 is thus quite difficult. Client PC 12 could be downloading huge graphics images from the Hubble Space Telescope for personal use, swamping the capacity of the network, while client 10 waits to read text-based information from an important customer over Internet 20. Network chaos erupts when even a few users hog bandwidth for low-priority tasks.

Security software may encrypt packets. Encryption may include the source IP address and port, preventing other devices and servers from reading the source address of packets.

Extensible Service Provider Accepts Network-Service Plugins—FIG. 4

The parent application, U.S. Ser. No. 09/042,306, hereby incorporated by reference, discloses in detail an extensible service provider that manages and orders network-service plugins. FIG. 4 is a diagram of a network architecture using an extensible service provider that manages and orders network-service plugins. The architecture is based on Winsock-2, the second-generation network architecture for Microsoft's Windows operating systems. Winsock-2 provides connections or "sockets" for high-level applications to connect to a network. A socket is the identifier for a given connection, or for a connectionless datagram flow.

High-level applications 32 send and receive information to a network by making calls to Winsock-2 library 34. Winsock-1 calls from high-level applications are also routed through in a similar fashion. These calls use an application-programming interface (API) that defines the function calls and their syntax. Winsock-2 library 34 is a dynamic-link library (DLL) of these function calls and other network-support routines.

Earlier versions of Winsock communicated directly with the lower TCP layer 40, which provides a Transmission Control Protocol for establishing sessions with remote hosts over a network. TCP layer 40 sends data to IP layer 42, which splits the data into Internet-Protocol (IP) packets and adds header information such as the source and destination IP address. IP layer 42 sends and receives these IP packets to the network media using physical layers such as a media-access controller (MAC).

While direct communication from Winsock-2 library 34 to TCP layer 40 can occur, Winsock-2 provides a service-provider interface (SPI) to third-party software modules known as layered providers or layered service providers. Instead of having many layered providers all communicating with TCP layer 40, a single extensible service provider 50 is installed. Extensible service provider 50 intercepts all network traffic at a lower level than the applications. Extensible service provider 50 fits between Winsock-2 library 34 and TCP layer 40, operating on data sent from Winsock-2 library 34 to TCP layer 40 for transmission. Extensible service provider 50 is "extensible" since it allows for the expansion of network services.

Extensible service provider 50 manages or controls the execution of additional network services provided by plugins 52. Plugins 52 are reduced in size and complexity compared with layered service providers because overhead functions and filtering are performed for all plugins by extensible service provider 50.

Plugins 52 provide various extra network services such as encryption, compression, security, proxies, or re-routing. These network services are transparent to high-level applications 32 and can be activated for all applications using the network. Extensible service provider 50 supplies a framework for managing and ordering a wide variety of plugin services.

Policy servers are desirable for prioritizing and regulating network traffic. Policy servers can better prioritize IP packets when the originating application and user are known. Although IP packets do not identify the high-level application or user, it is desired to collect information such as the originating application and user from client and server machines that can be used by the policy server in making priority decisions.

However, information must be collected from the client and server machines in a manner that is transparent to high-level applications. It is desired to install plugins on client and server machines that can be queried by the policy server. A specialized plugin for the extensible service provider is desired that monitors and collects information on network traffic from a client or server. This information includes the originating and destination high-level applications, data rates, and users. It is desired to prioritize network traffic based on high-level applications and users rather than low-level IP addresses and TCP ports.

SUMMARY OF THE INVENTION

A client-side application-classifier has an upper interface to a higher-level network-socket library. The higher-level network-socket library provides high-level network functions to high-level applications by generating a socket for connecting to a remote machine on a network. A lower interface is to a network-transport layer that formats data for transmission over the network. An interceptor is coupled between the upper and lower interfaces. It intercepts network events.

An examiner is coupled to the interceptor. It examines the network event intercepted and collects statistical information about the network event. The statistical information includes:

an application name of one of the high-level user applications that caused the network event;

a timestamp for the network event;
a byte count when the network event is a transfer of data over the network;

Internet addresses and ports when the network event is a connection or a data transfer; and

a process identifier of a running instance of the high-level user application.

A consolidator is coupled to the examiner. It consolidates the statistical information into application-classifier tables. The application-classifier tables include current tables for currently-running instances of applications, and historical tables that include closed applications. A reporter is coupled to the consolidator. It sends the statistical information from the application-classifier tables to a remote policy server on the network. The statistical information includes the application name. Thus the statistical information for network events is collected by the client-side application-classifier.

In further aspects of the invention the interceptor is an extensible service provider and the examiner is an application-classifier plugin to the extensible service provider. The extensible service provider controls other plugins providing low-level network services.

In still further aspects the examiner generates an event object containing the statistical information. The event object is sent to the consolidator and written into the application-classifier tables. The network event is:

an application startup event when a high-level application is initialized;

an application cleanup event when the high-level application is terminated;

a socket open event when a new socket is opened;

a socket close event when a socket is closed;

a connect event when a connection is made from a client to a remote server;

an accept event when a connection is accepted from a remote client;

a send-complete event when a flow of data has been sent from the client to the remote server; and

a receive-complete event when a flow of data has been sent from the remote server to the client.

In further aspects the statistical information for all network events includes a process identifier. The application-classifier tables are indexed by the process identifier. The application-classifier tables store for each flow of each high-level application:

the process identifier;

the timestamp;

the application name;

the byte count when the network event is a transfer of data over the network; and

Internet addresses and ports when the network event is a connection or a data transfer;

and wherein an application-classifier table for a high-level application contains:

maximum, average, and most-recent data-transfer rates for flows generated by the high-level application.

In other aspects the network-transport layer is a TCP/IP data-communications stack coupled to a first network through a first media-access control (MAC) adapter and coupled to a second network through a second MAC adapter. The client-side application-classifier also has a network enhancer that is coupled between the network-transport layer and the first and second media-access controllers. It intercepts network packets and extracts routing information including source and destination network addresses. A route table is coupled to the network enhancer to store the routing information for the network packets. The examiner is coupled to the route table to determine a source address of either the first MAC adapter or of the second MAC adapter or other MAC adapters when the source address is not available from the upper interface. Thus source addresses for clients with two network connections are obtained by the network enhancer below the TCP/IP stack.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates differing priorities of various kinds of network traffic.

FIG. 2 shows an Internet packet.

FIG. 3 is a diagram of a network that controls traffic using policy rules.

FIG. 4 is a diagram of a network architecture using an extensible service provider that manages and orders network-service plugins.

FIG. 5 is a diagram of an application-classifier that plugs into an extensible service provider for network services.

FIG. 6 is a table of events that trigger the application-classifier plugin to send data objects to the controller for classification.

FIGS. 7A-7E show definitions for objects that transfer data about network events from the application-classifier plugin to the controller for classification and storage.

FIG. 8 shows the current and historical tables of network events maintained by the application-classifier consolidator.

FIGS. 9A, 9B are diagrams of the format of an entry in the consolidator's tables.

FIG. 10 illustrates dual-level application-classifier plugins when multiple network addresses are used by a client.

FIG. 11 shows how the application-classifier plugin is useful for providing information for policy-control applications in a policy server.

FIG. 12 is a diagram of a network using policy rules determined by queries of application-classifier plugins installed on clients.

DETAILED DESCRIPTION

The present invention relates to an improvement in network policy servers and their clients. The following description is presented to enable one of ordinary skill in the art to make and use the invention as provided in the context of a particular application and its requirements. Various modifications to the preferred embodiment will be apparent to those with skill in the art, and the general principles defined herein may be applied to other embodiments. Therefore, the present invention is not intended to be limited to the particular embodiments shown and described, but is to be accorded the widest scope consistent with the principles and novel features herein disclosed.

High-Level Better Than Low-Level for Prioritization

The inventors have realized that policy servers typically prioritize network traffic based on low-level IP addresses and TCP ports. Low-level prioritization is undesirable because IP addresses and TCP ports are often shared by many applications and users. All applications and users sharing IP addresses and ports would be given the same priority. Even when IP addresses are statically assigned to one machine, all applications on that machine may need to be given the same priority, even though some applications are inherently more important than others.
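As an added example, not part of the patent, the following Python places the two kinds of policy rule side by side: rules an edge device can evaluate from header fields alone, and rules a policy server can apply once the application name reported by a client-side classifier is known, followed by the kind of bandwidth reallocation described for FIG. 3 when a video-conferencing flow appears. The rule sets, application names, priority weights and the 60 % real-time reservation are assumptions made for the demonstration.

```python
"""Header-field policy rules versus application-name policy rules, plus a priority-weighted
link allocation. Added example, not the patent's code; rules, flows, weights and the
real-time reservation fraction are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# FIG. 1 ordering: two-way video/audio, then business applications, browsing, then bulk
PRIORITY: Dict[str, int] = {"realtime": 4, "business": 3, "browsing": 2, "bulk": 1}
REALTIME_RESERVE = 0.6   # fraction of the link held for real-time flows when any are present


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    app: Optional[str] = None    # from the classifier tables; None for a raw packet
    user: Optional[str] = None


@dataclass(frozen=True)
class LowLevelRule:              # what an edge device can match from the packet header
    src_net: str                 # e.g. "10.0.0.0/24"
    dst_port: Optional[int]      # None matches any port
    klass: str


@dataclass(frozen=True)
class HighLevelRule:             # what a policy server can apply once app names are known
    app: str
    klass: str


def classify_low_level(flow: Flow, rules: List[LowLevelRule], default: str = "bulk") -> str:
    """Port-specific rules beat wildcard ones; among those, the longest prefix wins."""
    src = ipaddress.ip_address(flow.src_ip)
    best: Optional[Tuple[Tuple[bool, int], str]] = None
    for r in rules:
        net = ipaddress.ip_network(r.src_net, strict=False)
        if src not in net or (r.dst_port is not None and r.dst_port != flow.dst_port):
            continue
        spec = (r.dst_port is not None, net.prefixlen)
        if best is None or spec > best[0]:
            best = (spec, r.klass)
    return best[1] if best else default


def classify_high_level(flow: Flow, app_rules: List[HighLevelRule],
                        fallback: List[LowLevelRule]) -> str:
    """Prefer the application name; fall back to header rules when the classifier has none."""
    if flow.app:
        for r in app_rules:
            if r.app.lower() == flow.app.lower():
                return r.klass
    return classify_low_level(flow, fallback)


def allocate(classes: List[str], link_kbps: float) -> Dict[str, float]:
    """Split the link among the classes present, reserving a share for real-time traffic."""
    present = sorted(set(classes), key=lambda k: -PRIORITY[k])
    alloc: Dict[str, float] = {}
    remaining = link_kbps
    if "realtime" in present:
        present.remove("realtime")
        alloc["realtime"] = link_kbps if not present else link_kbps * REALTIME_RESERVE
        remaining = link_kbps - alloc["realtime"]
    weight = sum(PRIORITY[k] for k in present)
    for k in present:
        alloc[k] = remaining * PRIORITY[k] / weight
    return alloc


# Constructed rule sets: the edge device can only say "client subnet, port 80 = browsing"
LOW_RULES = [LowLevelRule("10.0.0.0/24", None, "browsing"),
             LowLevelRule("10.0.0.0/24", 80, "browsing"),
             LowLevelRule("10.0.1.16/32", None, "business")]
APP_RULES = [HighLevelRule("vidconf.exe", "realtime"), HighLevelRule("salesentry.exe", "business"),
             HighLevelRule("browser.exe", "browsing"), HighLevelRule("ftp.exe", "bulk")]


def demo() -> Tuple[List[str], List[str], Dict[str, float]]:
    """Three flows from one client address: browsing, a sales application, and a video call."""
    flows = [Flow("10.0.0.12", "192.0.2.80", 80, "tcp", app="browser.exe", user="alice"),
             Flow("10.0.0.12", "10.0.1.16", 80, "tcp", app="salesentry.exe", user="alice"),
             Flow("10.0.0.12", "198.51.100.9", 5004, "udp", app="vidconf.exe", user="alice")]
    low = [classify_low_level(f, LOW_RULES) for f in flows]
    high = [classify_high_level(f, APP_RULES, LOW_RULES) for f in flows]
    return low, high, allocate(high, 1000.0)
```

The header rules put all three flows in the browsing class because they share a source address and, for two of them, a destination port; the application-name rules separate them, and the allocation then reserves link capacity for the video call at the expense of the other classes. Because the application name originates in a DLL inside the client's own Winsock stack, the high-level classification is only as trustworthy as that client, which is why the header rules remain the fallback for flows no classifier has reported.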
Ideally, a user is given high priority when using corporate applications such as client databases and sales forms, but lower priority when using personal, non-business applications such as web browsing or graphics downloading. This requires that the names of the high-level applications and users be used for prioritizing network traffic, not just the IP addresses and TCP ports.

The names of the high-level application and its users on the client and on the server machines can be collected using the invention. The high-level application names are then used by a policy server to prioritize IP packets from these applications, rather than only using IP addresses and TCP ports. The high-level application and user names are then associated with a traffic signature. The traffic signature is a unique representation of the user's application network traffic which can include the IP address, TCP port, and some of the data in the packets. Packets matching the traffic signature can then be identified at various points in a network and acted upon. Thus network traffic is prioritized by user and application, rather than by machine.

Since a policy server cannot consistently identify a high-level application by examining the IP packets passed through the network, the invention identifies network traffic by application and user. A software module on client or server machines collects information on network traffic from each client or server. A plugin for the extensible service provider on a client or server machine collects statistics on network traffic that can be read by a policy server. The collected statistics are arranged by user and high-level application and include data rates and time stamps.

Current Invention is a Plugin Module for ESP of Parent Application

The parent application, U.S. Ser. No. 09/042,306, hereby incorporated by reference, discloses in detail an extensible service provider (ESP) that manages and orders network-service plugins. The current invention includes a plugin module for the extensible service provider described in the parent application. This plugin module is used to collect network-traffic statistics and identify traffic signatures for applications. Since the traffic signatures collected include the name of the high-level application, the plugin is known as an application-classifier engine (ACE) plugin.

The application-classifier plugin resides on client and/or server machines and each collects network statistics for packets originating from or received by the machine. A policy server gathers information from the machines by polling the application-classifier plugin in each client and reading the collected statistics. Alternately, each client can periodically send the collected information to the policy server. The policy server can then make policy decisions and prioritize network traffic based on the information collected from the clients' application-classifier plugins.

Application-Classifier Plugs Into Extensible Service Provider—FIG. 5

FIG. 5 is a diagram of an application-classifier that plugs into an extensible service provider for network services. High-level applications 32 send and receive information to a network by making calls to Winsock-2 library 34. These calls use an application-programming interface (API) that defines the function calls and their syntax. Winsock-2 library 34 is a dynamic-link library (DLL) of these function calls and other network-support routines.

TCP layer 40 sends data to IP layer 42, which splits the data into Internet-Protocol (IP) packets and adds header information such as the source and destination IP address. IP layer 42 sends and receives these IP packets to the network media using physical layers such as a MAC adapter. Multiple high-level applications 32 can spawn multiple processes that use multiple stacks such as TCP/IP and other protocols (not shown).

Instead of having many layered providers communicating with each other and TCP layer 40, a single extensible service provider 50 is installed, as described in detail in the parent application. Extensible service provider 50 intercepts all network traffic at a lower level than the applications. Extensible service provider 50 fits between Winsock-2 library 34 and TCP layer 40, operating on data sent from Winsock-2 library 34 to TCP layer 40 for transmission. Extensible service provider 50 is "extensible" since it allows for the expansion of network services.

Extensible service provider 50 manages or controls the execution of additional network services provided by plugins. Plugins are reduced in size and complexity compared with layered service providers because overhead functions and filtering are performed for all plugins by extensible service provider 50.

Plugins provide various extra network services such as encryption, compression, security, proxies, or re-routing. These network services are transparent to high-level applications 32 and can be activated for all applications using the network. Extensible service provider 50 supplies a framework for managing and ordering a wide variety of plugin services. One such plugin is application-classifier plugin 51. Other plugins (not shown) may also be installed and controlled by extensible service provider 50 and thus co-exist with application-classifier plugin 51. One or more filters can be applied by extensible service provider 50 to reduce the amount of traffic that activates application-classifier plugin 51. In the preferred embodiment no filters are used, so that all network traffic activates application-classifier plugin 51. Thus network statistics are collected on all traffic passing through extensible service provider 50 to and from TCP layer 40.

Application-classifier plugin 51 is a Windows DLL that is loaded by extensible service provider 50 on initialization. Extensible service provider 50 reads a list of plugins to load from the Windows registry and loads all the listed plugins, including application-classifier plugin 51. When application-classifier plugin 51 is loaded, it attaches itself to one or more of the filters registered with extensible service provider 50. In the preferred embodiment, application-classifier plugin 51 attaches itself to a universal filter that activates application-classifier plugin 51 for all network traffic.

When an event occurs, such as a command or call from Winsock-2 library 34 or from TCP layer 40, or completion of network I/O, extensible service provider 50 compares the properties of the event to each of its filters and activates all plugins attached to a matching filter.

Application-Classifier Components

When an event activates application-classifier plugin 51, a data object containing details of the event is sent to controller 62. Controller 62 classifies the event and updates tables maintained by application-classifier-engine (ACE) consolidator 60. Consolidator 60 keeps tables of the most-recent events for each application and process, but also keeps historical tables of past events, even for applications that have closed their connections and sockets. Statistical fields in the tables are also updated, such as the number of
bytes sent by an application or any of its processes, and timestamps when connections were opened and closed.

A remote policy server can access the tables stored by consolidator 60 by connecting with DCOM server 64. DCOM server 64 contains proxy and stub objects that hide the details of network communication from higher-level application programs. DCOM server 64 uses Microsoft's Distributed Component Object Model (DCOM) of distributed programming objects. Winsock-2 library 34 receives calls from DCOM server 64 that send and receive data through TCP layer 40 and IP layer 42. When a remote policy server connects to DCOM server 64, a request can be sent from the remote policy server over the network to controller 62. The request can instruct controller 62 to fetch one or more of the tables stored by consolidator 60 and send them back over the network to the policy server. Controller 62 and DCOM server 64 can be combined into a single controller module.

Real-time information may also be collected by a remote policy server. The policy server can register with controller 62 for certain kinds of events. For example, a policy server may need to know when a certain high-priority, high-bandwidth application such as videoconferencing opens a connection. The policy server can send the registration request through DCOM server 64 to controller 62. Whenever a connection for the high-priority videoconferencing application is opened and the event is received by application-classifier plugin 51, controller 62, on receiving the event object from application-classifier plugin 51, sends the event object to DCOM server 64 to be immediately sent over the network to the policy server. The policy server can then reserve bandwidth for the videoconferencing application's packets before they arrive.

Objects Generated by Application-Classifier Plugin for Events—FIG. 6

FIG. 6 is a table of events that trigger the application-classifier plugin to send data objects to the ACE controller for classification.

SocketConnect objects are generated by the application-classifier plugin when one of the closely-named Winsock API functions is called. For example, when an application opens a socket with a WSASocket API call, Winsock-2 generates a WSPSocket SPI call to the extensible service provider, which activates the application-classifier plugin at the SocketOpen entry point. When the lower-level TCP layer determines that the connection with the remote machine has been made, the ConnectComplete event is generated.

Different data-object definitions are used for the different events. The EventSocketInit data-object definition (FIG. 7B) is used to generate the SocketOpen and SocketClose objects sent to the ACE controller, while the EventSocketState data-object definition (FIG. 7C) is used to generate the SocketBind, SocketAccept, and SocketConnect objects when the socket state is changed and the BindComplete, AcceptComplete, and ConnectComplete events occur.

Completed data transfers signaled by the RecvComplete and SendComplete events generate the SocketIn and SocketOut objects, which are based on the EventSocketDataXfer data-object definition (FIG. 7D).

Flow events occur when a datastream completes. A flow is a connected TCP data stream or a sequence of unconnected (UDP) datagrams to and/or from a unique IP address and port. For TCP (connection-oriented) streams, ConnectComplete marks the start of a flow in most cases. Some Winsock applications do not wait for completion of a connection: they simply initiate the connection and attempt to send or receive, assuming that data is transferred when the connection is made. In this special case, the triggering event for the flow is the combination of a ConnectComplete event and a successful data transfer, signaled by RecvComplete and SendComplete events.

For unconnected UDP datagrams, the first data successfully sent to or received from a unique IP address and TCP/UDP port defines the start of a flow, as is indicated by the RecvComplete and SendComplete events that generate the SocketIn and SocketOut objects.

for classification. Events are generated by the Winsock-2 4Q when the flow begins, either the ConnectComplete event 
library when an application starts or ends, when it opens or f or TCP or the RecvComplete and SendComplete events for 
closes a socket, when the connection state of the socket TjDP, the FlowStart object is generated, based on the Event- 
changed, and when data is sent or received. Flowlnit data-object definition (FIG. 7E). The end of the 

Events can be grouped into three categories. Application flow is signaled by the Socketaose event, which generates 
events occur when a high-level networking application on 45 a FlowStop object also based on the EventFlowInit data- 
the client machine opens or closes. Socket events are gen- object definition 89. 
erated when a socket is opened, closed, changes its connec- 
tion state, or the data is sent or received. A flow event occurs ^ ata Objects FIGS. 7A-7E 
when a datastream begins or ends. FIGS. 7A-7E show definitions for objects that transfer 

FIG. 6 shows that the EventAppStart object is generated 50 data about network events from the application-classifier 

by the application-classifier plugin when an application plugin to the ACE controller for classification and storage, 

startup event occurs. A startup event is signaled by the The triggering events for these objects were shown in FIG. 

extensible service provider by activating the application- 6. Each of the tables in FIGS. 7A-7E and 9 A, 9B describe 

classifier plugin at the Startup entry point. The EventApp- array data objects that are transferred. 

Stop object is generated when an application cleanup event 55 FIG. 7A shows the EventAppInit data-object definition. A 

occurs, such as when the extensible service provider acti- version number is the first parameter in the definition. A 

vates the application-classifier plugin at the Cleanup entry timestamp is stored for the time that the event activated the 

point. The application starting up or cleaning up makes a application-classifier plugin. The unique process ID for the 

Winsock-2 API call, which is passed down to the extensible Winsock process that originated the event is stored in the 

service provider which generates the proper entry point into 60 ProcessID field. One application can spawn several network 

the application-classifier plugin. processes, but each process is identified by a unique ID 

Either the AppStart or the AppStop object generated by assigned by the Windows operating system, 

the application-classifier plugin is sent to the ACE control- The name of the high-level application is retrieved using 

ler. The AppStart and AppStop objects use the EventAppInit the Win32 API library call GetModuleFileName. Thus the 

data-object definition, shown in FIG. 7A. 65 objects based on EventAppInit data-object definition include 

Several different kinds of socket events can occur. The the names of the application, user, and host, as well as a 

SocketOpen, SocketClose, SocketBind, SocketAccept, and timestamp and the unique process ID. 
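The flow-event rules of FIG. 6 described above (ConnectComplete starts a TCP flow, the eager-application special case needs ConnectComplete plus a successful transfer, the first successful datagram to a unique address and port starts a UDP flow, and SocketClose ends the flow) as a small state machine. This is an added example written for this page, not code from the patent; the event names follow FIG. 6, while the object field names, timestamps and the sample event stream are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TRANSFER_EVENTS = ("RecvComplete", "SendComplete")


@dataclass
class SocketEvent:
    timestamp: int                      # seconds; the sample values below are constructed
    name: str                           # SocketOpen, ConnectComplete, RecvComplete, SendComplete, SocketClose
    socket: int                         # socket handle assigned by the Winsock library
    process_id: int                     # unique ID of the Winsock process that raised the event
    transport: str                      # "TCP" or "UDP"
    remote: Tuple[str, int] = ("", 0)   # remote IP address and port, where already known
    nbytes: int = 0                     # bytes moved by a RecvComplete/SendComplete (0 = none yet)


@dataclass
class _FlowState:
    connected: bool = False        # ConnectComplete seen (TCP only)
    early_attempt: bool = False    # application tried to transfer before the connect finished
    transferred: bool = False      # a successful transfer (nbytes > 0) has been seen
    flow_id: Optional[int] = None  # set once FlowStart has been emitted


class FlowDetector:
    """Turns a stream of socket events into FlowStart/FlowStop objects."""

    def __init__(self) -> None:
        self._states: Dict[tuple, _FlowState] = {}
        self._next_flow_id = 1

    @staticmethod
    def _key(ev: SocketEvent) -> tuple:
        # TCP: one flow per connected socket. UDP: one flow per (socket, remote endpoint),
        # because an unconnected socket may exchange datagrams with several unique addresses.
        return (ev.socket,) if ev.transport == "TCP" else (ev.socket, ev.remote)

    @staticmethod
    def _flow_obj(kind: str, ev: SocketEvent, flow_id: int) -> dict:
        # Fields after the EventFlowInit definition of FIG. 7E (field names assumed).
        return {"object": kind, "version": 1, "timestamp": ev.timestamp,
                "process_id": ev.process_id, "flow_id": flow_id,
                "transport": ev.transport, "remote": ev.remote}

    def feed(self, ev: SocketEvent) -> List[dict]:
        """Process one event and return the flow objects (none, one or several) it triggers."""
        if ev.name == "SocketClose":
            # SocketClose ends every flow that was started on this socket handle.
            out = []
            for key in [k for k in self._states if k[0] == ev.socket]:
                st = self._states.pop(key)
                if st.flow_id is not None:
                    out.append(self._flow_obj("FlowStop", ev, st.flow_id))
            return out
        if ev.name == "SocketOpen":
            return []                   # opening a socket never starts a flow by itself
        st = self._states.setdefault(self._key(ev), _FlowState())
        if st.flow_id is not None:
            return []                   # flow already running; later transfers are SocketIn/SocketOut
        if ev.name == "ConnectComplete":
            st.connected = True
        elif ev.name in TRANSFER_EVENTS:
            if ev.transport == "TCP" and not st.connected:
                st.early_attempt = True  # the application did not wait for the connection
            elif ev.nbytes > 0:
                st.transferred = True
        if ev.transport == "TCP":
            # Normal case: ConnectComplete marks the start. Special case: the application
            # transferred before connecting, so the start needs ConnectComplete AND a
            # successful transfer.
            start = st.connected and (not st.early_attempt or st.transferred)
        else:
            start = st.transferred      # UDP: first successful datagram to/from this endpoint
        if not start:
            return []
        st.flow_id = self._next_flow_id
        self._next_flow_id += 1
        return [self._flow_obj("FlowStart", ev, st.flow_id)]


def demo_events() -> List[SocketEvent]:
    """Constructed stream: a normal TCP connect, an eager TCP application, and UDP to two peers."""
    return [
        SocketEvent(100, "SocketOpen", 7, 4242, "TCP"),
        SocketEvent(101, "ConnectComplete", 7, 4242, "TCP", ("10.0.0.5", 443)),
        SocketEvent(102, "SendComplete", 7, 4242, "TCP", ("10.0.0.5", 443), 512),
        SocketEvent(103, "SocketClose", 7, 4242, "TCP"),
        SocketEvent(200, "SocketOpen", 8, 4243, "TCP"),
        SocketEvent(201, "SendComplete", 8, 4243, "TCP", ("10.0.0.9", 1521), 0),   # sent before connect
        SocketEvent(202, "ConnectComplete", 8, 4243, "TCP", ("10.0.0.9", 1521)),
        SocketEvent(203, "SendComplete", 8, 4243, "TCP", ("10.0.0.9", 1521), 300),
        SocketEvent(204, "SocketClose", 8, 4243, "TCP"),
        SocketEvent(300, "SocketOpen", 9, 4244, "UDP"),
        SocketEvent(301, "SendComplete", 9, 4244, "UDP", ("10.0.0.53", 53), 40),
        SocketEvent(302, "RecvComplete", 9, 4244, "UDP", ("10.0.0.53", 53), 120),
        SocketEvent(303, "SendComplete", 9, 4244, "UDP", ("10.0.0.54", 53), 40),
        SocketEvent(304, "SocketClose", 9, 4244, "UDP"),
    ]


def run(events: List[SocketEvent]) -> List[dict]:
    det = FlowDetector()
    out: List[dict] = []
    for ev in events:
        out.extend(det.feed(ev))
    return out
```

For the constructed stream, `run(demo_events())` yields eight objects: the normal TCP socket starts its flow at the ConnectComplete (timestamp 101), the eager socket only at the first successful send after its connect (203), the UDP socket gets one flow per remote endpoint (301 and 303), and each SocketClose emits a FlowStop for every flow on that handle.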
FIG. 7B shows the EventSocketInit data-object definition. 
A version number, timestamp, and the unique process ID are 
stored. The socket handle and the network-layer (IP, IPX) 
and transport-layer (TCP or UDP) protocols are also stored. 

The application and user names are not contained in the 
socket objects since the unique process ID can be used to 
associate the information with the corresponding application 
and user. An event created by the process such as a Startup 
event contained the application and user names. Thus the 
consolidator already has the association of the unique pro- 
cess ID to the application before any socket events occur. 

FIG. 7C shows the EventSocketState data-object defini- 
tion. A version number, object timestamp, and the unique 
process ID are stored. The socket parameter is the value of 
the socket handle assigned by the Winsock library. The local 
and remote addresses are also stored. These are the desti- 
nation and source IP addresses and TCP/UDP ports. For 
SocketBind objects, the remote address is not yet known and 
the remote address field is set to zero. 

The EventSocketDataXfer data-object definition is shown 
in FIG. 7D. Again, a version number, timestamp, and the 
unique process ID are stored. The socket address and the 
local and remote addresses are also stored. The number of 
bytes in the transfer is also stored in the Bytes parameter. 
The number of bytes transferred is a useful statistic, since 
the policy server can use it to determine the bandwidth used 
by the application. Bandwidth hogs can thus be identified. 

FIG. 7E highlights the EventFlowInit data-object defini- 
tion. Flows are sequences of data packets sent or received 
between two endpoints. The version number, timestamp, and 
the unique process ID are stored. A unique flow ID that was 
assigned by the ACE plugin is also stored, since each 
process can generate several flows. 

The transport-layer and network-layer protocols are 
stored in the flow object. The source and destination IP 
addresses and TCP/UDP ports are also stored in the object. 

Current and Historical Tables in Consolidator—FIG. 8 

FIG. 8 shows the current and historical tables of network 
events maintained by the application-classifier consolidator. 
Statistical data stored in the tables include overall byte 
counts of data sent or received, average and maximum bytes 
sent/received per second, and start and stop timestamps of 
processes and flows. 

Current tables 92, 94, 96 are snapshots of currently- 
running applications, processes, and flows. When a flow, 
process, or application closes, its table entry is deleted from 
the current tables. Thus a policy server reading current tables 
92, 94, 96 might not see statistics for applications or flows 
that recently closed. 

Historical tables 91, 93, 95 contain entries for both 
running and closed applications, processes, and flows. His- 
torical tables 91, 93, 95 can contain only a limited number 
of entries; once the limit is reached, the oldest entry of all the 
applications, processes, or flows is deleted to make room for 
a new entry. Flow historical table 95 is more likely to fill up 
before process historical table 93 or application historical 
table 91, since a single application can generate several 
processes, and each process can generate many flows. Of 
course, the sizes of the tables can be adjusted to allow more 
room for flow table 95 and process table 93 than for 
application table 91. 

Application tables 91, 92 each contain no more than one 
entry for each application. Network statistics are consoli- 
dated into the single entry for all processes and flows for the 
application. Thus a policy server can read an entry for a 
specific application to find out how many bytes the appli- 
cation has sent or received, regardless of how many con- 
nections have been made for the application. This allows 
high-bandwidth applications to be quickly identified. If two 
or more instances of an application are running, their net- 
work statistics are combined into a single entry in applica- 
tion table 92. Thus if a user as multiple browser windows 
running, the total browser traffic can be found in application 
table 92. Likewise, when an application is closed and 
restarted, a running total statistic for all previous instances 
of the application is kept. Restarting the application thus 
does not reset the usage statistics. 

A finer granularity to network statistics is stored by 
process ID in process tables 93, 94. Each unique process ID 
contains one entry per table. When another instance of an 
application is started, a second process ID is assigned to it, 
and a second entry is created in process table 93. When an 
application is closed and later restarted, the restarted appli- 
cation has a different process ID than the application did 
before it was closed. Separate entries are stored in historical 
process table 93, although only the running processes have 
an entry in current process table 94. 

Flow tables 95, 96 provide the finest granularity of 
network statistics. Each unique flow has its own entry. 
Different flow ID's are assigned to each flow generated by 
an application. Their entries are placed into historical flow 
table 95. 

Storage space can be reduced when the consolidator 
stores only flow tables 95, 96. When the policy server or 
ACE controller reads an entry in the application or process 
tables, the entry can be generated on the fly by the consoli- 
dator. All flow-table entries for the requested process or 
application are read, and their entries merged. Byte counts 
are summed, and average and maximum transfer rates and 
start and stop times are calculated for the process or appli- 
cation. Since table queries are less frequent than updates, 
overall processing is reduced by storing just the finest- 
granularity tables and generating the coarser-table entries. 
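The storage-saving scheme just described, with the consolidator keeping only flow entries and merging them into process and application entries when a table is read, as an added example that is not the patent's code. The entry fields follow the FIG. 9A description (sent and received byte totals, MinRate, MaxRate and AvgRate, start and stop times, most-recent process and flow IDs), but their spelling, the per-second bucketing used to compute the rates, and the sample history are assumptions. A flow is treated as current while its stop time is zero, and a process or application is current while any of its flows is.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class FlowEntry:
    """Finest-granularity consolidator record; field names after FIG. 9A (assumed)."""
    flow_id: int
    process_id: int
    app_name: str
    user_name: str
    transport: str
    local: tuple                 # (IP, port) on the client
    remote: tuple                # (IP, port) of the peer
    start_time: int              # seconds; the sample timestamps below are constructed
    stop_time: int = 0           # 0 while the flow is still open
    bytes_sent: int = 0
    bytes_recvd: int = 0
    # bytes moved (sent + received) in each one-second period, keyed by second
    per_second: Dict[int, int] = field(default_factory=lambda: defaultdict(int))


class Consolidator:
    """Keeps only flow entries; process and application entries are merged on request."""

    LEVELS: Dict[str, Callable[[FlowEntry], object]] = {
        "application": lambda f: f.app_name,
        "process": lambda f: f.process_id,
        "flow": lambda f: f.flow_id,
    }

    def __init__(self) -> None:
        self.flows: Dict[int, FlowEntry] = {}

    def flow_start(self, entry: FlowEntry) -> None:
        self.flows[entry.flow_id] = entry

    def flow_stop(self, flow_id: int, timestamp: int) -> None:
        self.flows[flow_id].stop_time = timestamp

    def data_xfer(self, flow_id: int, timestamp: int, nbytes: int, sent: bool) -> None:
        """Apply a SocketOut (sent=True) or SocketIn object to its flow."""
        f = self.flows[flow_id]
        if sent:
            f.bytes_sent += nbytes
        else:
            f.bytes_recvd += nbytes
        f.per_second[timestamp] += nbytes

    @staticmethod
    def _merge(entries: List[FlowEntry], now: int) -> dict:
        """Build one table entry from the flows of an application, a process or a single flow."""
        buckets: Dict[int, int] = defaultdict(int)
        for f in entries:
            for sec, n in f.per_second.items():
                buckets[sec] += n              # concurrent flows add up within a second
        start = min(f.start_time for f in entries)
        running = any(f.stop_time == 0 for f in entries)
        # stop stays zero while any member is open (a "current" entry); otherwise it is
        # the time the last member terminated
        stop = 0 if running else max(f.stop_time for f in entries)
        end = now if running else stop
        sent = sum(f.bytes_sent for f in entries)
        recvd = sum(f.bytes_recvd for f in entries)
        latest = max(entries, key=lambda f: (f.start_time, f.flow_id))
        return {
            "version": 1,
            "process_id": latest.process_id,   # most-recent process (for application entries)
            "flow_id": latest.flow_id,         # most-recent flow
            "app_name": latest.app_name, "user_name": latest.user_name,
            "transport": latest.transport, "local": latest.local, "remote": latest.remote,
            "start_time": start, "stop_time": stop,
            "bytes_sent": sent, "bytes_recvd": recvd,
            "max_rate": max(buckets.values(), default=0),
            "min_rate": min((buckets.get(s, 0) for s in range(start, end)), default=0),
            "avg_rate": (sent + recvd) / max(1, end - start),
        }

    def table(self, level: str, now: int, current_only: bool = False) -> Dict[object, dict]:
        """Generate the application, process or flow table on the fly from the flow entries."""
        groups: Dict[object, List[FlowEntry]] = defaultdict(list)
        for f in self.flows.values():
            groups[self.LEVELS[level](f)].append(f)
        entries = {key: self._merge(members, now) for key, members in groups.items()}
        if current_only:                       # current tables hold only running items
            entries = {k: e for k, e in entries.items() if e["stop_time"] == 0}
        return entries


def build_demo() -> Consolidator:
    """Constructed history: two browser windows, a browser restart, and a database client."""
    c = Consolidator()
    flows = [(1, 1001, "browser.exe", ("203.0.113.10", 80), 1000),
             (2, 1002, "browser.exe", ("203.0.113.11", 80), 1001),    # second window, still open
             (3, 1003, "browser.exe", ("203.0.113.12", 443), 1005),   # restarted browser: new process ID
             (4, 2001, "salesdb.exe", ("10.1.1.5", 1521), 1000)]
    for fid, pid, app, remote, start in flows:
        c.flow_start(FlowEntry(fid, pid, app, "alice", "TCP", ("192.168.1.20", 3000 + fid), remote, start))
    xfers = [(1, 1000, 400, True), (1, 1001, 5000, False), (1, 1002, 8000, False),
             (2, 1001, 300, True), (2, 1002, 4000, False),
             (3, 1005, 200, True), (3, 1006, 1500, False),
             (4, 1000, 100, True), (4, 1002, 200, False)]
    for fid, ts, n, sent in xfers:
        c.data_xfer(fid, ts, n, sent)
    c.flow_stop(1, 1003)
    c.flow_stop(3, 1007)
    return c
```

Reading `build_demo().table("application", now=1010)["browser.exe"]` gives one entry for all three browser processes: 900 bytes sent and 18500 received, a peak of 12000 bytes in the second when two windows were receiving at once, a stop time of zero because one window is still open, and process 1003 and flow 3 as the most recent. The same call with `current_only=True` at the process level drops the two closed processes and keeps 1002 and 2001.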

Consolidator Table Entries—FIGS. 9A, 9B 

FIGS. 9A, 9B are tables of the format of an entry in the 
consolidator's tables. Again, a version number, the unique 
process ID and the flow ID are stored. For application 
entries, the most-recent process ID and most-recent flow ID 
are stored. Process entries store the most-recent flow ID. The 
application and user names stored at the end of the entry 
allow the application and user names to be found. The start 
and stop times of applications, processes, or flows are stored 
in historical tables. For current tables, the application, 
process, or flow has not yet terminated, so the stop time is 
set to zero. For historical tables, the stop time is the time the 
last process instance of the application or flow was termi- 
nated. 

The transport protocol (TCP, UDP, etc.) is stored along 
with the source and destination IP addresses and TCP ports. 
For application and process tables, these are the addresses 
and protocols for the most-recent flow. 

Statistical information, such as byte counts, is also stored. 
Separate fields store the total number of bytes sent and the 
total bytes received for the application, process, or flow. The 
maximum and the minimum number of bytes sent or 
received in any one-second period is stored in the MinRate 
and MaxRate fields. The average byte rate is stored as 
AvgRate. 
A sample of the rate can be taken over a specified period. The number of bytes sent and received during the sample period is stored in DeltaBytesSent and DeltaBytesRecvd. The length of the sample period is stored as DeltaRate. In FIG. 9B, a flow table is shown. It contains an array of flows, with each flow as shown in FIG. 9A. All the flows on a machine can be counted using the flow table of FIG. 9B.

MAC-Level Route-Table Plugin—FIG. 10

FIG. 10 illustrates dual-level application-classifier plugins when multiple network addresses are used by a client. Some client machines connect to more than one network. For example, the client machine may have two Ethernet LAN cards, or a Token-Ring and an Ethernet card, or an Ethernet card and a dial-up modem connection. Two IP addresses are assigned to the client machine. Packets from TCP/IP layers 40, 42 may be assigned either IP source address, depending on which network the data is sent out over. For unconnected UDP datagrams, Winsock is not notified by TCP/IP layers 40, 42 of which IP address is used. Thus application-classifier plugin 51 is not able to determine the source IP address for this special case.

Network enhancer 68 is a low-level network driver installed below IP layer 42 but above media-access-controller MAC drivers 70, 70'. MAC drivers 70, 70' are software drivers that transfer data to network adapter cards on the client machine and control the cards. Two different network connections are made by MAC drivers 70, 70', each using a different source IP address.

Network enhancer 68 is installed by the operating system as a low-level driver (a Network Device Interface Specification NDIS shim) that intercepts all outgoing and incoming network traffic. A filter is used by network enhancer 68 to intercept only ARP Address Resolution Protocol data that is sent prior to a datagram, since the ARP protocol specifies the destination and source IP addresses. The filter activates route-table plugin 66 when ARP traffic is detected. Route-table plugin 66 is a plugin module that receives the IP addresses from network enhancer 68. The destination and source IP addresses are captured by route-table plugin 66 and stored in a route table of source and destination IP addresses by route-table plugin 66.

When an unconnected datagram is sent through extensible service provider 50 to TCP/IP layers 40, 42, application-classifier plugin 51 queries route-table plugin 66 for the source IP address used by TCP/IP layers 40, 42. Application-classifier plugin 51 then generates the event object using the source IP address obtained from route-table plugin 66, and sends the event object to controller 62. Controller 62 classifies the event object and updates the application, process, or flow tables in ACE consolidator 60. A remote policy server can read the table objects of consolidator 60 through DCOM server 64 as described earlier.

Application-classifier plugin 51 queries route-table plugin 66 by performing a user-mode to kernel call. Such kernel calls can hurt performance. However, such a call is required only once for each new flow, and only for clients connected to two or more networks. An alternative is to store the route table in the Windows registry.

The inventors have recognized this unusual problem caused by Winsock-2 not providing the source IP address for unconnected datagrams. The problem is only apparent when two or more network adapters are connected to a system. Dropping prices of network adapter cards and use of modems may make dual-network systems more common in the future.

Plugins Useful for Policy Control—FIG. 11

FIG. 11 shows how the application-classifier plugin is useful for providing information for policy control applications in a policy server. The application-classifier plugin can periodically send the collected statistics to a server by creating network calls to send packets containing the statistics. The application-classifier plugin is transparent to the application, since it operates between the Winsock DLL called by the applications and the lower-level TCP/IP stack.

Policy control is implemented by policy server 18, which collects detailed statistics of network traffic from various network nodes such as client 10. High-level applications 32 in client 10 include www browsers, corporate database viewers and data-entry terminal apps, and workgroup apps such as network-enabled word processors and spreadsheets and other editors. Winsock-2 library receives calls from applications 32 for access to the network. These calls are passed down to extensible service provider 50, which filters these calls and executes one or more plugins.

Application-classifier plugin 51 intercepts and analyzes the network traffic from client 10. The analyzed or modified data from application-classifier plugin 51 is sent back to extensible service provider 50 and sent down through TCP layer 40 and IP layer 42 and finally out over the network.

Each event, such as opening or closing a socket, making or breaking a connection, or transferring data packets, is intercepted by application-classifier plugin 51. The event is analyzed and classified by application-classifier controller 62, which updates tables in application-classifier consolidator 60. Thus statistics on network traffic from client 10 are stored in the tables of application-classifier consolidator 60.

The Winsock-2 API is provided for use by the plugins. This API is useful for allowing the plugins to communicate with remote servers such as the policy server. For example, application-classifier controller 62 can use Winsock calls to send ("push") data over the network using TCP layer 40" and IP layer 42".

Policy server 18 may observe some packets from client 10, but does not know what priority to assign to them. A policy application 32 can make a call to Winsock-2 library 34' that passes through extensible service provider 50', TCP layer 40', and IP layer 42' to client 10 over the network. This call can be directed to DCOM server 64 in client 10, asking what kind of traffic was recently sent. DCOM server 64 reads the tables in application-classifier consolidator 60 to obtain the desired information. DCOM server 64 then responds to policy server 18 by sending the desired information, such as a log of packets sent, together with their applications 32 that generated the packets and other high-level information that may not be contained in the packets sent.

Other information may be requested by policy server 18, such as the number of bytes sent by any particular application 32 on client 10, or the total number of packets sent in a time period. The highest burst rate of packets or the average packet transmission rate can also be obtained.

DCOM server 64 allows easier object-oriented programming techniques to be used, hiding the details of network communication from higher-level programmers. Stub and proxy objects are used on local and remote machines to facilitate communication over the network. Extensible service provider 50' on policy server 18 is not required and can be eliminated in some embodiments.

Thus policy server 18 is able to query client 10 by using application-classifier plugin 51, which analyzes and logs
network traffic from client 10. More sophisticated schemes could have policy server 18 deciding that the traffic from client 10 is low-priority, and instructing application-classifier plugin 51 or another traffic-blocking plugin (not shown) to block traffic from a particular application 32 in client 10. Thus network traffic can be blocked from the source.

The policy enforcer (policy server) is able to identify the user and the high-level application of network packets by polling the application-classifier on the client machine. The IP address and TCP port are sent from the policy server to look up the packet's user and application in the history tables kept by the application-classifier consolidator.

Plugins enable policy controls to be implemented in a manner transparent to higher-level applications. Plugins provide a way for network software to more closely examine network traffic from any machine, and even exert control over that machine's traffic.

Policy Server Queries Clients—FIG. 12

FIG. 12 is a diagram of a network using policy rules determined by queries of application-classifier plugins installed on clients. Policy server 18 queries application-classifier plugins installed on client PC's 10, 12, as described for FIG. 5. The DCOM servers on client PC's 10, 12 are used by policy server 18 to connect and read the ACE tables stored by the consolidators. Thus policy server 18 is able to determine which high-level application and which user is sending packets through edge device 14 by performing a lookup of the ACE tables on client PC's 10, 12 for the flow table having the source and destination IP addresses and TCP ports of the packets seen at edge device 14. The application and user names are stored with the matching entry in the flow table.

Policy server 18 can also find bandwidth-hogging applications by reading all historical application ACE tables on client PC's 10, 12, and comparing the average and maximum byte rate fields to acceptable thresholds. Applications with high transmission rates can be identified, and policy server 18 can instruct edge device 14 to block or delay packets for flows originating from these applications. The flows for an application can be read from the ACE tables.

Client PCs 10, 12 send IP packets over local network 15 to corporate server 16 and Internet 20. Edge device 14 is a router, switch, gateway, modem or other network device that connects local network 15 to Internet 20. Edge device 14 is able to block or delay packets to and from Internet 20 so that higher-priority packets experience less delay than lower-priority packets. Edge device 14 may examine packets and apply policy rules to determine which packets to accelerate and which to delay.

Policy server 18 can still send a policy query to corporate server 16, which may or may not have the application-classifier plugin installed. Corporate server 16 can respond that certain of its packets are high or low priority. Also, corporate server 16 may indicate if an IP address is high or low priority.

Low-priority web browsing from client 10 can be identified by finding the application name in the flow tables for the IP address for client 10 and port 80 used by the browser. Even dynamically assigned ports or IP addresses can be associated with their sending applications.

ADVANTAGES OF THE INVENTION

The names of the high-level application and its associated user on the client and on the server machines can be collected using the invention. The high-level application names then can be used for prioritizing IP packets from these applications, by associating the application name and its associated flows with traffic signatures. Thus network traffic is prioritized by user and application, rather than by machine. A user may have high priority when using corporate applications such as client databases and sales forms, but lower priority when using personal, non-business applications such as web browsing or graphics downloading.

Information can be collected from the client machines in a manner that is transparent to high-level client applications. Plugins installed on client machines can be queried by the policy server. A specialized application-classifier ACE plugin for the extensible service provider monitors and collects information on network traffic from a client. This information details the originating and destination high-level applications, data rates, and users. Network traffic is prioritized based on high-level applications rather than low-level IP addresses and TCP ports.

The layered network architecture of the extensible service provider allows multiple third-party service providers to be installed in addition to the application-classifier ACE plugin. The Winsock-2 architecture is expanded for network services provided at a low level. These network services can transparently intercept network traffic. The complexity of layered providers is reduced and redundant filtering by each layered provider is eliminated by using the extensible service provider. An expandable system that manages, organizes, and orders low-level network service providers is attained. Plugins are executed in a functionally correct order even when many layered service provider plugins from different vendors are installed.

Plugins are simplified compared with Winsock-2 layered service providers, since the overhead for communication with the Winsock-2 library and the TCP layer is handled by the extensible service provider. Since there are many Winsock-2 functions that are not used by most plugins, the overhead for these seldom-used functions is contained in the extensible service provider, reducing the complexity of the plugins. Complex I/O such as blocking, non-blocking via messages or events, and overlapped I/O is handled by the ESP.

ALTERNATE EMBODIMENTS

Several other embodiments are contemplated by the inventors. For example, many software implementations using many different programming languages are possible. The invention may be adapted for UNIX and other operating systems, as well as future versions of Windows. Indeed, UNIX-DCOM servers are now appearing, allowing a UNIX policy server to access the application-classifier tables residing on a Windows machine. Rather than use distributed objects, the information can be sent using a management protocol such as SNMP or via FTP.

Edge devices may also be installed at internal points in a network, such as between sub-nets in a corporate Intranet. Many edge devices can be employed in a single network. Indeed, the invention can be applied to traffic within a local network or within an Intranet. One or more policy servers collect information from application-classifiers on clients or at intermediate points, and control these edge devices. Routers, bandwidth control boxes, switches, firewalls, and Virtual Private Networking (VPN) boxes, as well as Network Management systems can use the information that the application-classifier can provide. These intermediate devices can be integrated with clients or servers using the invention.
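The two FIG. 12 lookups described above, a four-tuple lookup in a client's flow table to name the application and user behind a packet seen at the edge device, and a threshold check over the historical application table to find bandwidth hogs, as an added example written for this page and not taken from the patent. The client-to-IP map, the thresholds, the priority rules and every table row are constructed sample data; the field names follow the FIG. 9A description but are assumptions. The lookup matches the whole address-and-port pair in either direction and prefers the most recently started entry, so a local port reused by a later application still resolves to the right flow.

```python
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)

# Which client machine owns which IP address (constructed; a real policy server would
# take this from its configuration).
CLIENTS: Dict[str, str] = {"192.168.1.20": "client10", "192.168.1.21": "client12"}

# Flow-table rows as a client's DCOM server would return them (constructed sample data;
# field names after FIG. 9A, assumed). stop_time 0 means the flow is still open.
CLIENT_FLOW_TABLES: Dict[str, List[dict]] = {
    "client10": [
        {"flow_id": 1, "app_name": "browser.exe", "user_name": "alice", "transport": "TCP",
         "local": ("192.168.1.20", 3001), "remote": ("203.0.113.10", 80),
         "start_time": 1000, "stop_time": 1003},
        {"flow_id": 2, "app_name": "browser.exe", "user_name": "alice", "transport": "TCP",
         "local": ("192.168.1.20", 3002), "remote": ("203.0.113.11", 80),
         "start_time": 1001, "stop_time": 0},
        {"flow_id": 3, "app_name": "salesdb.exe", "user_name": "alice", "transport": "TCP",
         "local": ("192.168.1.20", 3003), "remote": ("10.1.1.5", 1521),
         "start_time": 1000, "stop_time": 0},
        # local port 3001 reused later by another application: the whole 4-tuple must match
        {"flow_id": 4, "app_name": "videoconf.exe", "user_name": "alice", "transport": "UDP",
         "local": ("192.168.1.20", 3001), "remote": ("198.51.100.7", 5004),
         "start_time": 1008, "stop_time": 0},
    ],
    "client12": [],
}

# Historical application-table rows (constructed) with the byte-rate fields of FIG. 9A.
CLIENT_APP_TABLES: Dict[str, List[dict]] = {
    "client10": [
        {"app_name": "browser.exe", "user_name": "alice", "avg_rate": 1940.0, "max_rate": 12000},
        {"app_name": "salesdb.exe", "user_name": "alice", "avg_rate": 30.0, "max_rate": 200},
        {"app_name": "videoconf.exe", "user_name": "alice", "avg_rate": 900.0, "max_rate": 1500},
    ],
    "client12": [],
}

# Assumed policy: acceptable byte-rate thresholds and per-application priorities.
AVG_RATE_THRESHOLD = 1500.0     # bytes per second averaged over the entry's lifetime
MAX_RATE_THRESHOLD = 10000      # bytes in any one-second period
PRIORITY_RULES = {"salesdb.exe": "high", "videoconf.exe": "high", "browser.exe": "low"}


def lookup_packet(flow_table: List[dict], src: Endpoint, dst: Endpoint,
                  transport: Optional[str] = None) -> Optional[dict]:
    """Find the flow entry whose endpoints match a packet seen at the edge device.

    Both directions match. If several historical entries match (a reused port), the
    most recently started flow wins.
    """
    hits = [f for f in flow_table
            if {f["local"], f["remote"]} == {src, dst}
            and (transport is None or f["transport"] == transport)]
    return max(hits, key=lambda f: f["start_time"], default=None)


def find_bandwidth_hogs(app_table: List[dict],
                        avg_threshold: float = AVG_RATE_THRESHOLD,
                        max_threshold: int = MAX_RATE_THRESHOLD) -> List[str]:
    """Applications whose average or peak byte rate exceeds the acceptable thresholds."""
    return sorted(e["app_name"] for e in app_table
                  if e["avg_rate"] > avg_threshold or e["max_rate"] > max_threshold)


def packet_priority(src: Endpoint, dst: Endpoint, transport: str) -> dict:
    """Policy-server decision for one packet: the client, application and user behind it,
    and the priority the edge device should apply."""
    client = CLIENTS.get(src[0]) or CLIENTS.get(dst[0])
    if client is None:
        return {"priority": "default", "reason": "no application-classifier on either endpoint"}
    entry = lookup_packet(CLIENT_FLOW_TABLES[client], src, dst, transport)
    if entry is None:
        return {"client": client, "priority": "default", "reason": "no matching flow entry"}
    app = entry["app_name"]
    if app in find_bandwidth_hogs(CLIENT_APP_TABLES[client]):
        priority, reason = "low", "bandwidth hog"     # hogs are demoted regardless of rule
    else:
        priority, reason = PRIORITY_RULES.get(app, "default"), "application rule"
    return {"client": client, "application": app, "user": entry["user_name"],
            "flow_id": entry["flow_id"], "priority": priority, "reason": reason}
```

With the sample tables, a datagram from 192.168.1.20:3001 to 198.51.100.7:5004 resolves to videoconf.exe (high priority), while a TCP packet arriving from 203.0.113.10:80 to the same local port resolves to the earlier browser flow, which is demoted as a bandwidth hog because its peak rate exceeds the threshold; packets between addresses with no classifier data fall back to the default priority.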
Edge devices may not only limit traffic from certain 
applications identified by the application-classifier, but 
modify the traffic as well. For example, some applications 
may transmit confidential or sensitive information. The edge 
devices can encrypt packets for flows from such applications 
identified by the application-classifier. The application- 
classifier plugin itself, or another installed plugin can be 
used to block network traffic from the client, rather than the 
edge device. The policy server can program the plugin on the 
client machine to block packets from certain low-priority 
applications, or block after a threshold number of bytes have 
been sent in a time period. Thus network traffic can be 
blocked at the source, the client PC. 

The invention can also be used for other classification 
purposes. Identifying application traffic enables security, 
access, routing, discard, and other tasks. Decisions can be 
made either remotely through a policy server or infrastruc- 
ture device (gateway, router, bandwidth control device, or 
switch) or locally on the host system itself. In a very simple 
case, the invention can be used locally to effectively include 
the policy server on the same system. This approach might 
enable a user of a cable modem or DSL service to request a 
higher level of service from a network (and promise to pay 
accordingly). Usually, this selection of service would be 
done per application, e.g. if the user wanted to receive real 
time video, invoke IP telephony, or just get a file transferred 
more quickly. 

Security applications can examine outgoing packets and 
encrypt packets only from certain applications, such as 
financial applications. Other applications from the same IP 
address, such as e-mail, can be skipped and sent out without 
encryption. 

Other network-based, distributed-object programming 
standards besides DCOM can be substituted, such as 
CORBA or COPS. Future improvements to Winsock-2 can 
also be used with the invention. Earlier versions of Winsock 
communicated with both TCP and UDP, and UDP can be 
substituted for the TCP layer with the invention. 

The invention has been described as filtering packets. 
However, data may not yet be divided into the final packets 
transmitted over the network media when intercepted by the 
extensible service provider. The data sent from the 
Winsock-2 library functions down to the extensible service 
provider and the TCP layer may be further divided by the 
TCP and IP layers into smaller packets for transmission. 
Thus the term "packets" when used for the extensible 
service provider does not strictly refer to the final transmitted 
packets, but to the data and header information that will 
eventually form one or more packets. 

The invention can also work with other protocols such as 
SNA, IPX, X.25, etc. It is not restricted to IP (TCP, UDP, 
etc.). The invention is extensible to perform more granular 
classification of traffic. For example, print and file transfer 
traffic may be mixed with interactive traffic sent from a 
single application. The invention can break these out into 
unique flows, identifying the traffic signatures for each 
'subflow'. Two examples of this are tn3270 which combines 
terminal traffic, print traffic and file transfer traffic in a single 
telnet session, and a SAP/R3 application which has a variety 
of financial transaction types (including printing). The 
invention can provide extensions to identify the traffic 
signatures of individual transactions. 

The foregoing description of the embodiments of the 
invention has been presented for the purposes of illustration 
and description. It is not intended to be exhaustive or to limit 
the invention to the precise form disclosed. Many modifi- 
cations and variations are possible in light of the above 
teaching. It is intended that the scope of the invention be 
limited not by this detailed description, but rather by the 
claims appended hereto. 
We claim: 

1. A client-side application-classifier comprising:
an upper interface to a higher-level network-socket library, the higher-level network-socket library for providing high-level network functions to high-level user applications by generating a socket for connecting to a remote machine on a network;
a lower interface to a network-transport layer, the network-transport layer for formatting data for transmission over the network;
an interceptor, coupled between the upper and lower interfaces, for intercepting network events;
an examiner, coupled to the interceptor, for examining the network event intercepted and collecting statistical information about the network event, the statistical information including:
    an application name of one of the high-level user applications that caused the network event;
    a timestamp for the network event;
    a byte count when the network event is a transfer of data over the network;
    Internet addresses and ports when the network event is a connection or a data transfer; and
    a process identifier of a running instance of the high-level user application;
a consolidator, coupled to the examiner, for consolidating the statistical information into application-classifier tables, the application-classifier tables including current tables for currently-running instances of applications, and historical tables that include closed applications; and
a reporter, coupled to the consolidator, for sending the statistical information from the application-classifier tables to a remote policy server on the network, the statistical information including the application name,
whereby the statistical information for network events is collected by the client-side application-classifier.

2. The client-side application-classifier of claim 1 wherein the interceptor is an extensible service provider and wherein the examiner is an application-classifier plugin to the extensible service provider, the extensible service provider for controlling other plugins providing low-level network services.

3. The client-side application-classifier of claim 1 wherein the examiner includes means for generating an event object containing the statistical information, the event object sent to the consolidator and written into the application-classifier tables.

4. The client-side application-classifier of claim 1 wherein the network event is selected from the group consisting of:
an application startup event when a high-level application is initialized;
an application cleanup event when the high-level application is terminated;
a socket open event when a new socket is opened;
a socket close event when a socket is closed;
a connect event when a connection is made from a client to a remote server;
an accept event when a connection is accepted from a remote client;
a send-complete event when a flow of data has been sent from the client to the remote server; and
a receive-complete event when a flow of data has been sent from the remote server to the client.

5. The client-side application-classifier of claim 4 wherein the statistical information for all network events includes a process identifier, wherein the application-classifier tables are indexed by the process identifier.

6. The client-side application-classifier of claim 5 wherein the application-classifier tables store for each flow of each high-level application:
the process identifier;
the timestamp;
the application name;
the byte count when the network event is a transfer of data over the network; and
Internet addresses and ports when the network event is a connection or a data transfer;
and wherein an application-classifier table for a high-level application contains:
maximum, average, and most-recent data-transfer rates for flows generated by the high-level application.

7. The client-side application-classifier of claim 1 wherein the network-transport layer is a TCP/IP stack coupled to a first network through a first media-access controller and coupled to a second network through a second media-access controller, the client-side application-classifier further comprising:
a network enhancer, coupled between the network-transport layer and the first and second media-access controllers, for intercepting network packets and extracting routing information including source and destination network addresses; and
a route table, coupled to the network enhancer, for storing the routing information for the network packets;
the examiner coupled to the route table to determine a source address of either the first media-access controller or of the second media-access controller when the source address is not available from the upper interface,
whereby source addresses for clients with two network connections are obtained by the network enhancer below the TCP/IP stack.

8. A computer-implemented method for classifying network flows from a client, the method comprising:
calling a socket function for opening or transmitting data through a socket-connection for connecting a high-level application to a remote machine on a network, the socket function being a function in an applications-programming interface (API) used by high-level applications to access the network;
activating an extensible service provider before the data is sent from the socket function to a lower network-transport layer, wherein the data is intercepted by the extensible service provider, the extensible service provider for evaluating filters to determine which plugins need to be executed;
activating an application-classifier plugin attached to the extensible service provider before the data is sent to the network-transport layer;
collecting statistical information including a name of the high-level application generating the data, a user name, a timestamp, and a number of bytes transmitted when the application-classifier plugin is activated;
consolidating the statistical information collected by the application-classifier plugin in application-classifier tables; and
sending the statistical information to a policy server on a remote machine on the network, wherein the policy server prioritizes the data using the name of the high-level application obtained from the application-classifier plugin on the client,
whereby the policy server prioritizes network data based on names of high-level applications obtained from the application-classifier plugin on the client.

9. The computer-implemented method of claim 8 wherein the step of sending the statistical information comprises:
searching the application-classifier tables for matching entries having a source and a destination IP address that match a source and a destination IP address that the policy server obtained by examining a network packet, the network packet not containing the name of the high-level application; and
reading the name of the application from the matching entries and sending the name of the high-level application to the policy server as the high-level application that generated the network packet examined by the policy server,
wherein the policy server prioritizes network traffic based on high-level applications rather than low-level IP addresses.

10. The computer-implemented method of claim 9 further comprising:
generating an event object when the application-classifier plugin is activated, the event object indicating a type of network activity performed by the socket function, the event object containing the statistical information;
sending the event object to the application-classifier tables, the statistical information being added to the application-classifier tables.

11. The computer-implemented method of claim 10 further comprising:
finding bandwidth-hogging applications by reading byte-count fields in the application-classifier tables and comparing the byte-count fields to a threshold,
wherein applications with network flows having byte-counts above the threshold are identified as high-bandwidth applications.

12. The computer-implemented method of claim 11 further comprising:
using the timestamp in the statistical information and the number of bytes transmitted to determine a rate of byte transfer;
storing the rate of byte transfer in the application-classifier tables.

13. The computer-implemented method of claim 8 wherein the application-classifier plugin is transparent to high-level applications, the application-classifier plugin performing low-level network services.

14. A computer-program product comprising:
a computer-usable medium having computer-readable program code means embodied therein for classifying network traffic according to high-level application name, the computer-readable program code means in the computer-program product comprising:
    socket means for receiving data for transmission over a network, the data from a high-level application that uses a high-level library of socket-functions for sending the data to the socket means;
    transport means for sending the data to a lower-level network-transport layer, the lower-level network-transport layer for formatting the data for transmission over the network; and
    extensible service provider means, coupled to the socket means and to the transport means, for activating an application-classifier plugin when the data is sent to the transport means, the extensible service provider means further for activating other plugins;
    the application-classifier plugin including means for collecting information about the data, the information including a name of the high-level application generating the data, a source address and a destination address, and a timestamp;
whereby the data is classified by the name of the high-level application generating the data sent to the network.

15. The computer-program product of claim 14 wherein the computer-readable program code means further comprises:
a consolidator, coupled to the application-classifier plugin, for storing the information collected in application-classifier tables with information collected for network data transmissions for other high-level applications,
whereby the information is stored in the application-classifier tables.

16. The computer-program product of claim 15 wherein the computer-readable program code means further comprises:
reporting means, coupled to the consolidator, for receiving requests from a policy server on a remote machine on the network, for reading the application-classifier tables and returning to the policy server the name of the high-level application from the application-classifier tables,
whereby the policy server looks up the name of the high-level application sending the data to the network.

17. The computer-program product of claim 16 wherein the request from the policy server includes source and destination IP addresses from data packets sent over the network from the socket means, but the data packets do not contain the name of the high-level application sending the data,
whereby the policy server cannot obtain the name of the high-level application from the data packets but only from the application-classifier tables.

18. The computer-program product of claim 16 wherein the computer-readable program code means further comprises:
filtering means for comparing transmission information for the data from the socket means to predetermined transmission criteria, for indicating when a socket matches the predetermined transmission criteria;
wherein the extensible service provider means only activates the application-classifier plugin when the socket matches the predetermined transmission criteria.

19. The computer-program product of claim 18 wherein the computer-readable program code means further comprises:
a blocking plugin, coupled to the extensible service provider means, for blocking the data from being transmitted to the network;
wherein the policy server determines which data is low-priority data by reading the names of high-level applications from the application-classifier tables;
wherein the blocking plugin blocks low-priority data from being transmitted on the network to reduce network traffic, the blocking plugin under control of the policy server,
whereby the low-priority data is blocked at the source before being sent over the network.

20. The computer-program product of claim 16 wherein the application-classifier plugin and extensible service provider means are installed on a client machine,
whereby the client machine collects the information for use by the policy server.
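The table logic that claims 1, 5, 6, 9, 11 and 12 describe (event objects consolidated into current and historical tables indexed by process identifier, per-flow byte counts and maximum/average/most-recent rates derived from timestamps, a policy-server lookup keyed only by addresses and ports, and a byte-count threshold for high-bandwidth applications) is small enough to run as a stand-alone model. The block below is an added example, not code from the patent or from any product that implements it: the real interceptor is a Winsock-2 layered service provider plugin, whereas here the intercepted socket events are constructed in-memory records, and the names `NetworkEvent`, `FlowRecord`, `ClassifierTables` and `build_sample_tables` are this example's own. The two sample applications deliberately share one client IP address, which is exactly the case in which packet inspection alone cannot tell them apart and the classifier tables can.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class NetworkEvent:
    """Event object generated by the examiner for one intercepted socket call (hypothetical shape)."""
    kind: str                  # "connect", "send_complete", "receive_complete" or "cleanup"
    app_name: str
    user_name: str
    pid: int
    timestamp: float           # seconds
    byte_count: int = 0
    src: Optional[Endpoint] = None
    dst: Optional[Endpoint] = None


@dataclass
class FlowRecord:
    """Per-flow entry in the application-classifier tables."""
    app_name: str
    user_name: str
    pid: int
    src: Endpoint
    dst: Endpoint
    start_time: float
    last_time: float
    total_bytes: int = 0
    rates: List[float] = field(default_factory=list)   # bytes/second, one per completed transfer

    @property
    def max_rate(self) -> float:
        return max(self.rates, default=0.0)

    @property
    def avg_rate(self) -> float:
        return sum(self.rates) / len(self.rates) if self.rates else 0.0

    @property
    def recent_rate(self) -> float:
        return self.rates[-1] if self.rates else 0.0


class ClassifierTables:
    """Consolidator: current tables for running processes, historical tables for closed ones."""

    def __init__(self) -> None:
        self.current: Dict[int, List[FlowRecord]] = {}      # indexed by process identifier
        self.historical: Dict[int, List[FlowRecord]] = {}

    def consolidate(self, ev: NetworkEvent) -> None:
        if ev.kind == "connect":
            rec = FlowRecord(ev.app_name, ev.user_name, ev.pid, ev.src, ev.dst,
                             ev.timestamp, ev.timestamp)
            self.current.setdefault(ev.pid, []).append(rec)
        elif ev.kind in ("send_complete", "receive_complete"):
            rec = self._find_flow(ev.pid, ev.src, ev.dst)
            if rec is None:
                return                              # transfer on a flow whose connect was never seen
            elapsed = ev.timestamp - rec.last_time
            # Rate of byte transfer derived from the timestamp and the byte count.
            rate = ev.byte_count / elapsed if elapsed > 0 else float(ev.byte_count)
            rec.rates.append(rate)
            rec.total_bytes += ev.byte_count
            rec.last_time = ev.timestamp
        elif ev.kind == "cleanup":
            # Application terminated: move its flows from the current to the historical tables.
            self.historical.setdefault(ev.pid, []).extend(self.current.pop(ev.pid, []))

    def _find_flow(self, pid: int, src: Endpoint, dst: Endpoint) -> Optional[FlowRecord]:
        for rec in self.current.get(pid, []):
            if rec.src == src and rec.dst == dst:
                return rec
        return None

    def _all_flows(self):
        for table in (self.current, self.historical):
            for flows in table.values():
                yield from flows

    def lookup_application(self, src: Endpoint, dst: Endpoint) -> List[str]:
        """Policy-server query: the packet carries only addresses and ports, never the app name."""
        return sorted({rec.app_name for rec in self._all_flows()
                       if rec.src == src and rec.dst == dst})

    def high_bandwidth_apps(self, threshold: int) -> List[str]:
        """Applications with at least one flow whose byte count exceeds the threshold."""
        return sorted({rec.app_name for rec in self._all_flows() if rec.total_bytes > threshold})


def build_sample_tables() -> ClassifierTables:
    """Constructed sample events: two applications on one client IP, different source ports."""
    client = "10.0.0.5"
    vc = dict(src=(client, 4001), dst=("10.0.1.9", 5060))      # videoconferencing flow
    web = dict(src=(client, 4002), dst=("203.0.113.7", 80))    # browser flow
    events = [
        NetworkEvent("connect", "videoconf.exe", "alice", 100, 0.0, **vc),
        NetworkEvent("connect", "browser.exe", "alice", 200, 0.5, **web),
        NetworkEvent("send_complete", "videoconf.exe", "alice", 100, 1.0, 20_000, **vc),
        NetworkEvent("receive_complete", "browser.exe", "alice", 200, 1.5, 500_000, **web),
        NetworkEvent("send_complete", "videoconf.exe", "alice", 100, 2.0, 40_000, **vc),
        NetworkEvent("receive_complete", "browser.exe", "alice", 200, 3.5, 1_000_000, **web),
        NetworkEvent("cleanup", "browser.exe", "alice", 200, 4.0),
    ]
    tables = ClassifierTables()
    for ev in events:
        tables.consolidate(ev)
    return tables
```

Calling `build_sample_tables()` and then `lookup_application(("10.0.0.5", 4002), ("203.0.113.7", 80))` returns `["browser.exe"]` even though that process has already been cleaned up, because the lookup searches the historical tables as well as the current ones; `high_bandwidth_apps(1_000_000)` flags only the browser, whose flow carried 1.5 MB against the videoconferencing flow's 60 KB. Matching on the full address-and-port pair is what keeps the answer unambiguous when several applications share the client's IP address; a lookup on IP addresses alone would return both names for this sample.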



09/02/2003, EAST Version: 1.04.0000 



